CVE-2026-44722: CWE-480: Use of Incorrect Operator in danifus pyzipper
pyzipper is a replacement for Python's zipfile that can read and write AES encrypted zip files. Prior to 0.4.0, a Python operator precedence bug in pyzipper/zipfile_aes.py caused the AE-2 format to never be automatically selected during encryption, causing encrypted entries to be written in AE-1 format and exposing the plaintext CRC32 checksum in the ZIP header and, for unseekable zip archives, in the datadescripter section, allowing an attacker who possesses the archive to brute-force candidate plaintexts for small or low-entropy files by comparing CRC32 values. This issue is fixed in version 0.4.0.
AI Analysis
Technical Summary
The vulnerability in pyzipper (CVE-2026-44722) arises from incorrect operator usage in the pyzipper/zipfile_aes.py module prior to version 0.4.0. This bug causes the AE-2 encryption format to never be selected automatically during encryption, resulting in the use of the AE-1 format instead. AE-1 encryption exposes the plaintext CRC32 checksum in the ZIP header and datadescriptor, which can be leveraged by an attacker possessing the archive to brute-force plaintexts of small or low-entropy files by comparing CRC32 values. The vulnerability has a CVSS 3.1 base score of 6.2 (medium severity) and does not affect integrity or availability, only confidentiality. The issue is resolved in pyzipper version 0.4.0.
Potential Impact
Confidentiality is impacted because the plaintext CRC32 checksum is exposed in encrypted ZIP files using AE-1 format instead of AE-2. This exposure enables an attacker with access to the archive to perform brute-force attacks on small or low-entropy files by comparing CRC32 checksums, potentially revealing plaintext content. There is no impact on integrity or availability.
Mitigation Recommendations
Upgrade to pyzipper version 0.4.0 or later, where this issue is fixed by correctly selecting the AE-2 encryption format during encryption. No other mitigations are indicated. Patch status is confirmed by the vendor advisory stating the fix is in version 0.4.0.
CVE-2026-44722: CWE-480: Use of Incorrect Operator in danifus pyzipper
Description
pyzipper is a replacement for Python's zipfile that can read and write AES encrypted zip files. Prior to 0.4.0, a Python operator precedence bug in pyzipper/zipfile_aes.py caused the AE-2 format to never be automatically selected during encryption, causing encrypted entries to be written in AE-1 format and exposing the plaintext CRC32 checksum in the ZIP header and, for unseekable zip archives, in the datadescripter section, allowing an attacker who possesses the archive to brute-force candidate plaintexts for small or low-entropy files by comparing CRC32 values. This issue is fixed in version 0.4.0.
CVSS v3.1
Score 6.2medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in pyzipper (CVE-2026-44722) arises from incorrect operator usage in the pyzipper/zipfile_aes.py module prior to version 0.4.0. This bug causes the AE-2 encryption format to never be selected automatically during encryption, resulting in the use of the AE-1 format instead. AE-1 encryption exposes the plaintext CRC32 checksum in the ZIP header and datadescriptor, which can be leveraged by an attacker possessing the archive to brute-force plaintexts of small or low-entropy files by comparing CRC32 values. The vulnerability has a CVSS 3.1 base score of 6.2 (medium severity) and does not affect integrity or availability, only confidentiality. The issue is resolved in pyzipper version 0.4.0.
Potential Impact
Confidentiality is impacted because the plaintext CRC32 checksum is exposed in encrypted ZIP files using AE-1 format instead of AE-2. This exposure enables an attacker with access to the archive to perform brute-force attacks on small or low-entropy files by comparing CRC32 checksums, potentially revealing plaintext content. There is no impact on integrity or availability.
Mitigation Recommendations
Upgrade to pyzipper version 0.4.0 or later, where this issue is fixed by correctly selecting the AE-2 encryption format during encryption. No other mitigations are indicated. Patch status is confirmed by the vendor advisory stating the fix is in version 0.4.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-07T18:04:17.308Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a5b5eb82d1edb114c7fb6b3
Added to database: 07/18/2026, 11:08:40 UTC
Last enriched: 07/18/2026, 12:00:39 UTC
Last updated: 07/18/2026, 13:20:49 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.